7.4. Content Security Policy (CSP)


You can specify Content Security Policy (CSP) directives for your dynamic plugin using the contentSecurityPolicy field in the ConsolePluginSpec file. This field helps mitigate potential security risks by specifying which sources are allowed for fetching content like scripts, styles, images, and fonts. For dynamic plugins that require loading resources from external sources, defining custom CSP rules ensures secure integration into the OpenShift Container Platform console.

重要

The console currently uses the Content-Security-Policy-Report-Only response header, so the browser will only warn about CSP violations in the web console and enforcement of CSP policies will be limited. CSP violations will be logged in the browser console, but the associated CSP directives will not be enforced. This feature is behind a feature-gate, so you will need to manually enable it.

For more information, see Enabling feature sets using the web console.

7.4.1. Key features of Content Security Policy (CSP)

A Content Security Policy (CSP) is delivered to the browser in the Content-Security-Policy-Report-Only response header. The policy is specified as a series of directives and values. Each directive type serves a different purpose, and each directive can have a list of values representing allowed sources.

7.4.1.1. Directive Types

The supported directive types include DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, and FontSrc. These directives allow you to specify valid sources for loading different types of content for your plugin. Each directive type serves a different purpose. For example, ScriptSrc defines valid JavaScript sources, while ImgSrc controls where images can be loaded from.

7.4.1.2. Values

Each directive can have a list of values representing allowed sources. For example, ScriptSrc can specify multiple external scripts. These values are restricted to 1024 characters and cannot include whitespace, commas, or semicolons. Additionally, single-quoted strings and wildcard characters (*) are disallowed.

7.4.1.3. Unified Policy

The OpenShift Container Platform web console aggregates the CSP directives across all enabled ConsolePlugin custom resources (CRs) and merges them with its own default policy. The combined policy is then applied with the Content-Security-Policy-Report-Only HTTP response header.

7.4.1.4. Validation Rules

  • Each directive can have up to 16 unique values.
  • The total size of all values across directives must not exceed 8192 bytes (8KB).
  • Each value must be unique, and additional validation rules are in place to ensure no quotes, spaces, commas, or wildcard symbols are used.
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

关于红帽文档

Legal Notice

Theme

© 2026 Red Hat
返回顶部